fmi*igf Journal Spring 2014, Vol 25 No. 2 - page 27

Internal Controls – The Lost Value Proposition
Stephen J. McIntyre, Ernst & Young LLP
Internal control is not a new phrase or a
new topic of discussion; in fact, internal
control by all accounts is a relatively
straightforward concept. Why then does
internal control still occupy the agendas
of audit committees, boards and senior
management working groups in both
industry and public sector? Specifically
why, despite the conversations, are the
real benefits and purpose of assessing
internal controls not well understood?
In short, the compliance nature of most
assessments forces it on the agenda.
However, the objectives of an effective
system of internal control have not been
as well defined as one would expect, and
therefore the value of controls has not
been well understood.
The application of internal controls
at various levels and facets of the
organization will be the main objective
of this ongoing series of articles on this
topic. This article, the first in the series,
will focus on providing an overview of
the key principles in assessing internal
control effectiveness. Future articles
will build on these principles to explore
specific areas and scenarios.
Principles of internal controls
The basic objective of an internal control
is the same, regardless of whether it’s the
result of a specific policy requirement or
simply best practice implementation for
a specific organization. Before exploring
the concept of what is an internal control
we must first consider the reason why
internal controls exist. They exist to
prevent or detect the materialization of
a risk or set of risks. Although internal
control assessments and policies often
omit the word risk in their title, the
controls are meaningless without them.
Risks come in many forms; however,
for purposes of this discussion we
will stay within the boundaries of the
organization. Risk categories commonly
include considerations around three
main areas: people, processes and
technology. As such, most discussions
regarding internal controls focus on
these areas:
• Entity level controls (people);
• Business process controls; and
• Information technology general and
application controls.
The fundamental objective of
assessing internal controls, even those
associated with information technology,
is to focus on the consistency of
human behaviour. An effective system
of internal control should provide a
decision maker or stakeholder with the
ability to reasonably expect a specific
outcome or result, thereby reducing
the need for a more detailed assessment
to confirm the result. Let’s explore
this objective further as it is critical to
understanding the value of internal
controls.
The benefits of leveraging internal
controls have been recognized by auditors
for several years, something which can
be best explained by the two main types
of audit approaches: (1) substantive
audits and (2) controls-based audits. An
audit opinion, in the context of external
financial statements, is a high degree of
assurance (usually 95%) over the topic
of assessment. The degree of assurance
in these two audit approaches doesn’t
vary. However, the methodology to
arrive at the assurance does.
In a substantive type audit, an auditor
gathers an appropriate amount of
evidence to support his or her opinion
on the subject. The larger the volume
of underlying information being audited,
the greater the extent of substantive
evidence required to provide the
required level of audit assurance (95%
assurance). In other words, the higher
the volume of information, the higher
the degree of effort required to audit that
information.
A control-based audit, in contrast,
allows an auditor to identify the key
risks associated with processes which
produce the results being audited as
well as any key controls that mitigate
(prevent or detect) the materialization
of those risks. The advantage of this
approach is that it reduces the extent
of testing required to provide the same
95% level of audit assurance. This is
specifically relevant in situations where
high volume, low individual value
type transactions are present. If the
auditor can say they understand how
the transactions have been treated and
more importantly the consistency with
which they have been treated (i.e. the
controls), it reduces the risk of errors
occurring in that population and
therefore reduces the work required to
arrive at an opinion.
Are we simply examining internal
controls to reduce the audit fees, or is
there something more tangible that
organizations can learn to move beyond
a compliance view of internal controls?
The short answer is yes; controls can and
must be more relevant to organizations
than simply a way to reduce audit fees
and effort. To explore why this is the
case we must first come back to the
definition of an internal control.
The critical success factor in
assessing the effectiveness of an internal
control is the consistency with which